Twilio Demonstrates Why Courts Should Review Every National Security Letter

Twilio Demonstrates Why Courts Should Review Every National Security Letter

The list of companies who exercise their right to ask for judicial review when handed national security letter gag orders from the FBI is growing. Last week, the communications platform Twilio posted two NSLs after the FBI backed down from its gag orders. As Twilio’s accompanying blog post documents, the FBI simply couldn’t or didn’t want to justify its nondisclosure requirements in court. This might be the starkest public example yet of why courts should be involved in reviewing NSL gag orders in all cases.

National security letters are a kind of subpoena that give the FBI the power to require telecommunications and Internet providers to hand over private customer records—including names, addresses, and financial records. The FBI nearly always accompanies these requests with a blanket gag order, shutting up the providers and keeping the practice in the shadows, away from public knowledge or criticism.

Although NSLs gag orders severely restrict the providers’ ability to talk about their involvement in government surveillance, the FBI can issue them without court oversight. Under the First Amendment, “prior restraints” like these gag orders are almost never allowed, which is why EFF and our clients CREDO Mobile and Cloudflare have for years been suing to have the NSL statute declared unconstitutional. In response to our suit, Congress included in the 2015 USA FREEDOM Act a process to allow providers to push back against those gag orders.

The new process (referred to as “reciprocal notice”) gives technology companies a right to request judicial review of the gag orders accompanying NSLs. When a company invokes the reciprocal notice process, the government is required to bring the gag order before a judge within 30 days. The judge then reviews the gag order and either approves, modifies, or invalidates it. The company can appear in that proceeding to argue its case, but is not required to do so.

Under the law, reciprocal notice is just an option. It’s no substitute for the full range of First Amendment protections against improper prior restraints, let alone mandatory judicial review of NSL gags in all cases. Nevertheless, EFF encourages all providers to invoke reciprocal notice because it’s the best mechanism available to Internet companies to voice their objections to NSLs. In our 2017 Who Has Your Back report, we awarded gold stars to companies that promised to tell the FBI to go to court for all NSLs, including giants like Apple and Dropbox.

Twilio is the latest company to follow this best practice. It received the two national security letters in May 2017, both of which included nondisclosure requirements preventing Twilio from notifying its users about the government request. And both times, Twilio successfully invoked reciprocal notice, leading to FBI to give permission to publish the letters. This might seem surprising, given that in order to issue a gag, the FBI is supposed to certify that disclosure of the NSL risks serious harm related to an investigation involving national security.

But rather than going to court to back up its certification, the FBI backed down. It retracted one of the NSLs entirely, so that Twilio was not forced to hand over any information at all. For the other, the FBI simply removed the gag order, allowing Twilio to inform its customer and publish the NSL.

This is not what the proper use of a surveillance tool looks like. Instead, it reveals a regime of censorship by attrition. The FBI imposes thousands of NSL gag orders a year, and by default, these gag orders remain in place indefinitely. Only when a company like Twilio objects, does the government have any minimal burden of showing its work. Without a legal obligation to do so in all cases, the FBI can simply hope most companies don’t speak up.

That’s why it’s so crucial that companies like Twilio take responsibility and invoke reciprocal notice. Better still,Twilio also published a list of best practices that companies can look to when responding to NSLs, including template language to push back on standard nondisclosure requirements. (Automattic, the company behind Wordpress, published a similar template last year.)

As the company explained, “The process for receiving and responding to national security letters has become less opaque, but there’s still more room for sunlight.”

We couldn’t agree more. Hopefully if more companies follow the lead of Apple, Dropbox, Twilio and the others who received stars on our report, the courts and Congress will see the need for further reform of the law.

Related Updates

In a disappointing opinion issued on Monday, the Ninth Circuit upheld the national security letter (NSL) statute against a First Amendment challenge brought by EFF on behalf of our clients CREDO Mobile and Cloudflare. We applaud our clients’ courage as part of a years-long court battle, conducted largely...

As a civil liberties organization, it’s our job to evaluate how tech companies handle our most private data and to encourage them to do better year over year. Our Who Has Your Back report is designed to do both, which is one reason we revisit the report’s criteria every...

San Francisco, California—While many technology companies continue to step up their privacy game by adopting best practices to protect sensitive customer information when the government demands user data, telecommunications companies are failing to prioritize user privacy when the government comes knocking, an EFF annual survey shows. Even tech giants such...

San Francisco, California—The Electronic Frontier Foundation (EFF) sued the Justice Department today to obtain records that can shed light on whether the FBI is complying with a Congressional mandate that it periodically review and lift National Security Letter (NSL) gag orders that are no longer needed. The FBI...

In a newly unsealed case [.pdf], a Los Angeles federal court ruled that Adobe could not be indefinitely gagged about a search warrant ordering it to turn over the contents of a customer account.
This is important work by Adobe. Gag orders almost always violate the First Amendment; they...

San Francisco – The Electronic Frontier Foundation (EFF) will urge an appeals court Wednesday to find that the FBI violates the First Amendment when it unilaterally gags recipients of national security letters (NSLs), and the law should therefore be found unconstitutional. The hearing is set for Wednesday, March 22, at...

The FBI appeared to go beyond the scope of existing legal guidance in seeking certain kinds of internet records from Twitter as recently as last year, legal experts said, citing two warrantless surveillance orders the social media company published on Friday. Andrew Crocker, a staff attorney at the Electronic Frontier...

Annual celebrations of the life and work of Reverend Dr. Martin Luther King, Jr. often lionize the civil rights era, rightfully focusing on its achievements.
For 40 years, FBI Director J. Edgar Hoover presided over a reign of intimidation and terror across Washington. But celebrations often overlook the federal...

We’re happy to be able to announce that Cloudflare is the second courageous client in EFF’s long-running lawsuit challenging the government’s unconstitutional national security letter (NSL) authority. Cloudflare, a provider of web performance and security services, just published its new transparency report announcing it has been fighting...

For the past three years, Credo, represented by the nonprofit Electronic Frontier Foundation, has been fighting in court both the constitutionality of the FBI’s request and the bureau’s demand that Credo stay silent. The fight over the legality of the request is ongoing, but earlier this year, the Federal District...